Winfixer Auto-Redirect Dirty Spyware?

GeForceX

I'm having this issue with a friend's computer. Every once in a while when I click on the Windows Update IE icon, Windows Update loads as it should. However, with enough time, it will quickly change into this link:
http://www.winfixer.com/download/2006?p=20&ex=1&ax=2&aid=vm_tx_vfx6kw_9&lid=error+winfix and the title will end up saying "Add/Remove Programs" which is a blatant lie.

NOTE: PLEASE DO NOT CLICK ON THE LINK UNLESS YOU ARE USING A TEST COMPUTER. I AM NOT RESPONSIBLE IF IT INFECTS YOUR COMPUTER.

I tried cleaning out his IE settings and running enough anti-spyware programs, and this problem still occurs. I'm afraid it must've been hidden deep in his registry. Firefox works just fine, however. Even though I can recommend him using just Firefox, I'd rather find the culprit and delete it for safety reasons.

Anyone got an idea?

Edit: I looked up and did some deep cookie hacking and came up with several IPs from winfixer:

64.125.84.23
202.67.220.227
62.4.84.53 (going there reveals a blank site that says "hi".)

And some IP lookups reveal one from Korea and another from Germany. Something tells me that either they're the ones that are doing it or their PCs are drones now? Correct me if I'm wrong. :)

-J.
 
:) Right you are. But being impossible to delete - how do you delete it is the real question. :p

-J.
 
Ok, just making sure. I realized at about 8:15 this morning that I'm really friggin' tired and can't offer support today. :p
I'll try again tomorrow when I can once again put 2+2 together. :eek:
 
Ahhh, well rested and ready to help. But I've never battled winfixer personally.

It sounds like the best bet is using HijackThis and posting the results on their forums. Also I've heard of an automatic HijackThis analyzer but don't have a link or any experience with it.

Most of the other links I've seen were pimping Xoftspy as being able to remove it. I've never used or even heard of this software though so I can't recommend it.
 
Here we go... I've done all various online and program-based anti-virus/spyware scans. I finally did HijackThis:

HijackThis said:
Logfile of HijackThis v1.99.1
Scan saved at 2:10:20 AM, on 1/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
D:\Diskeeper\DkService.exe
C:\Documents and Settings\x19-Yiffzer\Desktop\HijackThis.exe

O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\system32\awvtu.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - Startup: Xfire.lnk = E:\XFire\Xfire.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O20 - Winlogon Notify: awvtu - C:\WINDOWS\system32\awvtu.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\AVGFRE~1\avgemc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

The only problem I see is this line:
HijackThis said:
O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\system32\awvtu.dll

I searched it on Google and saw it had to do with WinFixer. Bingo! The problem though - it's impossible to remove. Any solutions?

-J.
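An added example, not code from the thread: a small Python parser for HijackThis O-lines that flags the pattern visible in the log above, a DLL registered both as a Browser Helper Object (O2) and as a Winlogon Notify handler (O20). A Winlogon Notify DLL is loaded into winlogon.exe at logon, so the same file is in use from the moment the session starts, which is the usual reason such a BHO cannot simply be deleted from a running session. The sample entries are copied from the posted log; the regexes and the file-missing check are assumptions of this example.

```python
import re
from collections import defaultdict

# Sample HijackThis entries, copied from the log posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\system32\awvtu.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: awvtu - C:\WINDOWS\system32\awvtu.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")        # "O2 - BHO: ..." -> ("O2", "BHO: ...")
DLL_RE = re.compile(r"\S+\.dll", re.IGNORECASE)  # any whitespace-free token ending in .dll


def parse_entries(log_text):
    """Yield (section, body) for every HijackThis O-line; other lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def dll_basenames(body):
    """Lower-cased file names of every .dll mentioned in one entry body."""
    return {m.rsplit("\\", 1)[-1].lower() for m in DLL_RE.findall(body)}


def find_suspicious(log_text):
    """Return DLLs loaded both as a BHO (O2) and a Winlogon Notify handler (O20),
    plus O20 handlers whose file HijackThis reports as missing."""
    seen = defaultdict(set)  # dll basename -> sections that reference it
    missing = []
    for section, body in parse_entries(log_text):
        if section == "O20" and "(file missing)" in body:
            missing.append(body)
        for name in dll_basenames(body):
            seen[name].add(section)
    paired = sorted(n for n, s in seen.items() if {"O2", "O20"} <= s)
    return {"bho_and_winlogon": paired, "missing_notify": missing}


if __name__ == "__main__":
    for key, items in find_suspicious(SAMPLE_LOG).items():
        print(key, items)
```

Matching is on the file's basename only, so an O2 and O20 entry pointing at the same DLL from different directories would also be paired; treat a hit as a lead to verify against the full paths, not as a verdict.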
 
I believe Norton has very detailed instructions for removing winfixer; I had to get it off my aunt's computer, and the procedure worked flawlessly. If it's not Norton, just google it. It is indeed spyware, and you putting a link to it should be a bannable offense, regardless of that stupid ass disclaimer.
 
I agree you should post a link to known Spyware. Well, if you don't get it removed, there is always reformatting. If that ends up being the course, use Eraser for the final formatting procedure. You can google Eraser, which is a great little free proggie.
 